EV Observe - Configure Azure AD as a SAML Identity Provider
SAML (Security Assertion Markup Language) is used to enable single sign-on (SSO) between an identity provider (IDP) and a service provider.
The procedure is used to enable SAML 2.0 authentication between EV Observe (the service provider) and the Azure AD platform (the identity provider). Once Azure has authenticated users, they will be logged in to EV Observe using their Azure AD account.
Notes
- Only administrators can configure SAML authentication for Azure AD.
Prerequisites
- You must have an Azure subscription. If this is not the case, you can create a free account, or you can buy an Azure Pay-As-You-Go subscription.
See the procedure. - You must have the relevant accounts and access rights to the services you want to interface on the Azure portal.
Procedure: How to configure SAML authentication
Step 1: Retrieve information on your service provider, EV Observe
SAML_InfoServiceProvider
Note: You must be authorized to access the Administration menu.
1. Go to the EV Observe Web app.
2. Select Administration > Integration > SAML in the menu.
3. (optional) Modify the default name of the SAML authentication.
4. Click Export XML to save the metadata file on your workstation. You must register EV Observe on the Azure AD platform (step 2).
Step 2: Register your service provider, EV Observe on the Azure AD platform (identity provider)
Step 2.a: Access the Azure portal
1. Log in to the Azure portal using your Azure account.
2. (optional) Select the relevant environment if you have multiple tenants.
Step 2.b: Register a new enterprise application on the Azure portal and retrieve the ID
1. Search for the Enterprise Applications service in the list of Azure services or click the link below to access the service directly.
Microsoft Azure: Enterprise Applications
The list of enterprise applications previously registered on the Azure portal will appear.
2. Click + New application and click + Create your own application.
3. Specify the information required for creating the application.
- Enter the name of the new application.
- Select the Integrate any other application you don’t find in the gallery option to manually configure new applications not available in the gallery.
- Click Create.
An overview of the new application will appear.
Step 2.c: Enable SAML authentication
1. Select Single sign-on in the left pane and click SAML.
The SAML configuration page will appear.
2. Click Upload metadata file and select the XML file of the EV Observe platform that you saved on your workstation in step 1.
3. Check that the values displayed in the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) fields are identical to those in EV Observe.
Note: These values were stored in your text editor in step 1: Entity ID and Assertion Consumer Service URL.
4. Save the SAML configuration.
- Click Save.
- Select No, I'll test later when the message asking if you want to run a test appears.
5. Download the Azure AD federation metadata XML file required for enabling SAML authentication on the EV Observe platform.
- Go to the SAML Signing Certificate section.
- Save the file on your workstation.
The metadata file is generated by the identity provider. It contains the configuration information required by EV Observe for configuring SAML authentication in step 5.
Step 3: Configure SAML authentication in EV Observe
SAML_ConfigureEVObserve
1. Return to the EV Observe Web app.
2. Open the SAML configuration window.
3. Import the metadata file generated by the identity provider.
- Click Import XML.
- Select the file you downloaded on your workstation when you registered EV Observe on the identity provider platform in step 2.
4. Ensure that the EV Observe login is identical to the user registered with the identity provider by entering the mail value in the Username attribute field.
5. Click Enable SAML Authentication.
6. Configure user access for SAML authentication.